Regulators are way behind the game when it comes to wearable and IoT
privacy, and users are willingly conspiring with companies that don't care 
about them to help create a society of “uber-veillance”. 

That's the grim conclusion reached by Australian Privacy Foundation 
(APF) board member and University of Wollongong researcher Katina 
Michael in conversation with The Register. 

In light of the US Federal Trade Commission's warning at CES that it's 
watching the Internet of Things closely, Vulture South wondered how 
things might stand in Australia and asked Michael for her views on the 
topic. 

One of the things that makes it hard for a regulator to formulate privacy 
rules covering things like RunKeeper, Fitbits and the like is that so much 
of the privacy invasion seems almost voluntary. Users take the defaults of 
the product-plus-service, create a social media stream informing the 
world of everything from their sleep patterns to the distances and even 
places they walk, run, cycle - with too little understanding of just how 
much about them can be inferred from the data. 

“We know about people's measurements - sleeping, health, where they
are, who they're with, engaged in sex, walking, running, speeding, 
burning calories”, Michael told Vulture South. 

“How long does it take until we're constantly being monitored and 
tracked, and people are predicting our next action?” 

She noted that individuals don't realise how much trackers, and the 
companies that sell them, know about us, how companies use that 
information, nor how their policies let them on-sell that information.

She added that it's no longer a fiction that the services behind wearables 
and IoT devices could know more about us - at least in specific areas -
than we know ourselves. 

To Vulture South's scepticism, Michael answered “I'm busy: I can't count 
the number of steps, because I'm too busy walking. I can't count the 
calories I burn at the gym, or tell you the speed I walked, the distance I 
covered or the time I spent on a particular activity. 

“Spatio-temporal models know these things and can make inferences 
about what you're doing,” she explained. 

Michael reminded Vulture South that these models have been under 
development for decades. “I worked in a telecoms vendor for six years. 
We had voice and data traffic models; we were fairly accurate, we knew 
where traffic was coming from, where it was going to.” 

The advent of mobile telephony expanded both the data and the 
inference that could be drawn from it dramatically, she said, so that by 
1997-1998, she was able to find very good details that associated the 
individual to his or her behaviour. 

Since then, the data sources contained in just one device, the 
smartphone, have exploded: “Not only can we collect the personal data 
from the sensors - the GPS, the accelerometer, the altimeter, the 
temperature sensor, and make the speed/distance/time calculation,” she 
said, but it's now trivial to plot that against data amassed by Google's 
StreetView or national address files (the GNAF in Australia). 

“I not only know your X and Y coordinate, I know the building name, what
floor you visited,” she said, and since people are creatures of habit, the 
inferences that can be drawn from phone data alone are invasive and 
revealing. 

Add data from wearables and implantables, add consumer confusion 
about who owns the data (you don't, for example, own the data 
generated by “your” pacemaker, she said), and combine it with vague 
and liquid company privacy policies and user enthusiasm for
self-publishing their “quantified self” data, and the emerging situation “blows
the National Privacy Principles out of the water,” Michael said. 

“For example, you can easily bucket someone into categories - social 
sorting - 'I won't hire them because they're lazy, or they're not eligible for 
credit, or I won't insure them, or hike up the premium'. 

(For example, El Reg had its attention separately drawn to the AAMI 
“Safe Driver” app, which offers the inducement of rewards for the user to 
link back to the company. It's a short distance from carrot to stick.) 

“How long is it going to take before this data is used to make decisions
that the person is not aware of?”, she continued, citing the possibility that 
a future user doesn't realise they're being charged a different insurance 
premium “because of the data you put online from the Fitbit?” 

Wearables, she said, are not so far in capability from state surveillance
anklets (those used, for example, to monitor persons subject to control
orders). “We're being duped into thinking they're liberating devices, when
they're devices of enslavement,” she said. “And consumers aren't saying 
'uh-oh, there's a problem here'. They're saying 'bring it on!'” 

We're creating a world not of surveillance - that's already here - but of 
“uber-veillance” where the combination of data and analysis “gets inside 
your head” and increasingly predicts actions. 

Michael says it's also easy to imagine that non-participation - a decision 
to keep some data private - could draw a punitive response from the 
corporate world. 

Today, she said, people pay attention to the idea that their “things” might
be hacked, that their phones might be vulnerable. 

In the future, she said, “you won't be able to hide: you will get hit with 
fees for not disclosing.” 

Penalties for non-disclosure of metrics will, at least, offer one opportunity 
for regulators to act, and such opportunities will be few. 

Another spot where regulators could apply a wedge is in how devices 
and their associated apps treat privacy at purchase. 

“They shouldn't be automatic opt-in,” she said. Individuals might find it 
inconvenient in the short term, but instead of hiding poison pills on page 
nineteen of a document nobody reads, users should have to go through 
dialogues, understanding and okaying each of the invasions the 
wearable's maker hopes to achieve. 

“We get the devices, they have inherent policies built in and we're not 
told what could happen. The location information doesn't have to come 
built in and already enabled,” she said - it's just that's the preference of 
the vendor. 

Orwell's vision is already obsolete, she said, usurped by Google and a 
world that has you tagged. Until privacy watchdogs awake from their 
slumber, it's only users who can resist the cargo-cult tradeoff of their 
secrets for a shiny toy. ® 



https://www.theregister.com/2015/01/13/its_already_too_late_for_privacy/ 



7/8/2020 


Welcome to 'uber-veillance' says Australian Privacy Foundation • The Register 